Postmortem: TanStack npm supply-chain compromise
Summary
An in-depth postmortem details a supply-chain compromise of TanStack npm packages in May 2026, in which 84 malicious versions were published across 42 packages. It explains a chain of three weaknesses, PR-target trust, cache poisoning, and OIDC token extraction, that together enabled unauthorized npm publishes. The postmortem provides detections, root causes, lessons, and concrete mitigations for teams relying on GitHub Actions and npm publishing.
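As an added illustration (not code from the postmortem or from TanStack), the audit below flags, in a parsed GitHub Actions workflow, the three conditions the summary names: a pull_request_target run that checks out PR-head code, a cache written from that run, and id-token: write reachable from it. The mapping of the summary's three weaknesses to these workflow patterns is an assumption, and the sample workflow is constructed.

```python
# Added example: audit a GitHub Actions workflow (as the dict yaml.safe_load returns)
# for pull_request_target trust, cache-poisoning surface and OIDC token exposure.
# The mapping to these patterns is assumed; SAMPLE_WORKFLOW is constructed.

PR_HEAD_REFS = ("github.event.pull_request.head", "github.head_ref")

def _checks_out_pr_head(step):
    """actions/checkout with ref set to the PR head: untrusted code runs with base-repo trust."""
    uses = str(step.get("uses", ""))
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and any(r in ref for r in PR_HEAD_REFS)

def _uses_cache(step):
    """A cache written by a PR-controlled run can be poisoned and later read by a release job."""
    uses = str(step.get("uses", ""))
    with_ = step.get("with") or {}
    return uses.startswith("actions/cache") or (uses.startswith("actions/setup-") and "cache" in with_)

def _grants_id_token(workflow, job):
    """id-token: write lets the job mint an OIDC token; job-level permissions replace workflow-level ones."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    return isinstance(perms, dict) and perms.get("id-token") == "write"

def audit_workflow(workflow):
    """Return a list of findings; empty when the workflow has no pull_request_target trigger."""
    # YAML 1.1 parses the bare key `on` as boolean True, so accept both spellings.
    on = workflow.get("on", workflow.get(True)) or {}
    triggers = set(on) if isinstance(on, (dict, list)) else {on}
    findings = []
    if "pull_request_target" not in triggers:
        return findings
    for name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        if any(_checks_out_pr_head(s) for s in steps):
            findings.append(f"{name}: pull_request_target runs PR-head code with base-repo trust")
        if any(_uses_cache(s) for s in steps):
            findings.append(f"{name}: cache written from a pull_request_target run (poisoning surface)")
        if _grants_id_token(workflow, job):
            findings.append(f"{name}: id-token: write reachable from pull_request_target (OIDC exposure)")
    return findings

SAMPLE_WORKFLOW = {  # constructed sample, not a TanStack workflow
    "on": {"pull_request_target": {}},
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {"ci": {"steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "actions/setup-node@v4", "with": {"cache": "pnpm"}},
        {"run": "pnpm install && pnpm test"},
    ]}},
}

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print("FINDING:", finding)
```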